You might assume that signing people up to an email newsletter doesn't require a Privacy Policy. After all, a newsletter is all about sending out information rather than collecting it, aside from the user's email address.

However, an email address is considered to be protected personal information under a number of privacy laws, and these laws require a Privacy Policy.

Luckily, creating a Privacy Policy to cover a newsletter and displaying it in a legally compliant way won't be too much of a burden.

Here's what you need to know.


Why Do I Need a Privacy Policy For an Email Newsletter?

While you might think of a newsletter as you providing information to the reader, by definition you need to collect and store the reader's email address so that you can send the newsletter.

An email address counts as personal data under most relevant privacy laws and regulations and is therefore enough to trigger requirements for Privacy Policies.

Beyond the purely legal requirement, having a Privacy Policy may increase your audience. A potential subscriber will be reassured by you having a Privacy Policy and will be more likely to trust you not to misuse their email address. In turn, they'll be more confident about signing up.

Which Laws Require a Privacy Policy For an Email Newsletter?

Depending on your location, multiple laws could require a Privacy Policy when you collect an email address. These laws include the following.

California Online Privacy Protection Act (CalOPPA)

CalOPPA applies to any commercial website or online service that collects personal data about an individual consumer who lives in California. It doesn't matter where the site is based.

An email address meets the law's criteria of being "personally identifiable information."

CalOPPA requires a Privacy Policy to do several things. The ones relevant to an email address include:

  • Telling users if and how they can review and edit their stored personal data
  • Telling users how you will inform them of any changes to the Privacy Policy
  • Telling users if you will pass on data to other parties

Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

CAN-SPAM's applicability is determined by putting email messages into three categories:

  • Commercial (for example, for advertising or promotion)
  • Transactional or relationship (for example, for updating a customer about an order they placed)
  • Other (for example, a newsletter about a particular topic)

CAN-SPAM applies if the primary purpose of the message is commercial.

If a message contains content that falls into more than one of the categories, CAN-SPAM's applicability depends on factors such as how much space is given to each type of content, the order in which the different types of content appear in the message, and the subject line.

Some of the requirements of CAN-SPAM are specific to sending emails: for example, you must accurately identify who is sending the message, identify when a message is an advertisement, and avoid deceptive subject lines.

CAN-SPAM doesn't specifically require a Privacy Policy or cover how you handle a subscriber's email address. However, it does specifically require that you make it clear how a customer can opt out of future emails and that, if they do opt out, you update your mailing list within 10 days. It also says you can't pass on email addresses to a third party once the subscriber opts out.

Both of these points could be covered within a Privacy Policy that might also address how you handle the email address while the user is still signed up to the newsletter.

General Data Protection Regulation (GDPR)

The GDPR covers the use of data relating to an individual who can be directly or indirectly identified. This means the data itself could identify the person, or that the data can combine with other information to identify them.

Although the GDPR is a European Union law, it doesn't matter where the data is physically stored or processed. Instead, the GDPR applies when:

  • The organization that processes the data operates in a European Union country, or
  • The organization that processes the data offers goods or services to individuals who are in a European Union country

Processors must follow six principles under the GDPR when collecting and processing personal data. These are:

  • Process data lawfully, fairly and transparently
  • Only collect data for a stated, lawful purpose
  • Only collect the minimum amount of data necessary for the stated purpose
  • Make sure the stored data is accurate and update it if needed
  • Delete data when it's no longer needed for the stated purpose
  • Protect the data against unauthorized access, modification or deletion

Part of the transparency requirement is to clearly inform users of how the processor complies with the six principles. A Privacy Policy is normally the most practical way to do this.

This example from MedMastery details compliance with the GDPR:

MedMastery Newsletter Privacy Policy: GDPR Legal Bases clause

Note how it mentions that MailChimp is used to send out emails, and specifically makes mention of the GDPR and its legal bases for sending out its newsletter.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA generally applies where a private sector organization in Canada collects or processes personal data while carrying out a commercial activity. Key exceptions include:

  • Organizations already covered by general data privacy laws in Alberta, British Columbia or Quebec
  • Organizations already covered by health data privacy laws in Labrador, New Brunswick, Newfoundland and Nova Scotia
  • Non-profit groups, charities and political parties (unless engaged in commercial activities that aren't related to the group's main purpose)
  • Some federal government organizations

PIPEDA always applies if data is passed across provincial borders or shared internationally. It also always applies to federally regulated organizations.

While most personal data is covered, including personal email addresses, PIPEDA doesn't cover a business email address that's collected and used only for communicating in relation to the person's job. However, a newsletter won't qualify for this exemption because it is a general communication rather than written specifically for one person.

PIPEDA requires the organization collecting and handling data to follow 10 detailed principles. As an overview, the organization must do the following:

  • Designate a staff member to be accountable for complying with PIPEDA
  • Decide and explain why it is collecting the data
  • Get the consent of the individual to collect the data
  • Collect only data needed for the stated purpose
  • Only use the data for the stated purpose and delete it when no longer needed for that purpose
  • Make sure the data is accurate, up-to-date and complete
  • Safeguard the data against security risks
  • Publicly detail the privacy policies and procedures. This usually means publishing a Privacy Policy.
  • Let the individual check and correct the stored data
  • Let the individual challenge any non-compliance

As you can see, the best way to comply with this is to have a Privacy Policy that discloses thorough information.

Have a Privacy Policy

If you collect email addresses, you need to have a Privacy Policy and in it you should note the following:

  • You collect and store email addresses (and any other collected data)
  • You use the email addresses for sending out your newsletter
  • Whether or not you share the email addresses with anyone else
  • How the user can request that you delete their email address from your records
  • How often you will send newsletters and a general outline of what they will and won't include
  • Exactly how the user can unsubscribe from the newsletter
  • Whether and how the user can unsubscribe from the newsletter but still have you keep their address on file, for example for dealing with their online orders

This example from The Drum shows what data it collects, why it uses it, and how it uses it. It also notes the third party it uses for processing its email newsletter and links to that third party's Privacy Policy. For GDPR compliance, it includes a link to how transfers of information outside of the EEA are safeguarded:

The Drum Privacy Policy: Newsletters clause excerpt

This example from MySociety shows how it includes information about the newsletter in its general clause about what information the company collects:

MySociety Privacy Policy: What information we collect and how we use it clause - Excerpt for email newsletter

It also includes an informative clause for how to go about unsubscribing from the newsletter:

MySociety Privacy Policy: How to unsubscribe from the Newsletter Clause

Remember to also include an unsubscribe link at the bottom of every email newsletter you send out.

Where to Display Your Privacy Policy

There are a number of ways that you can make sure your Privacy Policy is made available to anyone who wants to sign up for your newsletter. You'll want to add your Privacy Policy link to these three places:

  • Your website footer
  • In the email newsletter sign-up form or landing page
  • In each email newsletter you mail out

The website footer is where users already know to look for a Privacy Policy, and a footer link is available on every page of the website for easy access.

Here's a standard example of a footer menu from Co-op:

Co-op website footer with Privacy Policy link highlighted

You can link to the Privacy Policy at the point where a user is about to sign up for the newsletter. This is a good option if you want to be certain the user has a reasonable opportunity to see the policy before signing up.

Appropriately, given the newsletter's topic, this example from the New York Times includes a Privacy Policy link right by the sign-up button:

NYTimes Privacy Project: Email sign-up form

You can even add a clickwrap checkbox here and have your users click a box to agree with your Privacy Policy before they can sign up and submit their email addresses. Here's how Neil Patel does this by linking the Privacy Policy and adding a consent checkbox to the place where he requests user email addresses:

Neil Patel sign-up form for email subscriptions with I Agree checkboxes

This is an important step if you have users in the EU as it complies with the GDPR's requirements for obtaining consent.

Linked to Each Newsletter

You should include a link to your Privacy Policy in every newsletter you send out. Make the link part of the template so that you guarantee it appears each time.

Here's an example from Comcast:

Screenshot of Comcast email footer

While using a link in the newsletter can help customers, it's not sufficient as the only place where users can read the policy. The various laws covered in this article require that a Privacy Policy help the user decide whether to give consent to the collection of their data. That means they must have a reasonable opportunity to know about and see the policy before they provide their email address in signing up to the newsletter.

Conclusion

Let's recap what you need to know and do if you have an email newsletter.

  • Simply collecting a customer's email address counts as collecting personal data and triggers a range of legal requirements for Privacy Policies depending on your location and that of your subscribers. Become familiar with specific laws you may fall under.
  • Make your Privacy Policy available to your users before, during and after they subscribe to your email newsletters, such as by incorporating a link into your website footer, in the sign-up form, and in every newsletter you send out.
  • Include information in your Privacy Policy about your collection and use of email addresses.
  • Allow subscribers the ability to opt out at any time. Note this in your Privacy Policy as well as in each email newsletter you send out.

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display.

  1. Start the Free Privacy Policy Generator, located at the top of the website.
  2. Select where your Privacy Policy will be used:

  FreePrivacyPolicy: Privacy Policy Generator - Select where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

  FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Add your website or app information:

  FreePrivacyPolicy: Privacy Policy Generator - Add your website or app information - Step 3

  5. Answer a few questions about what information you collect from your users:

  FreePrivacyPolicy: Privacy Policy Generator - What information you collect - Step 4

  6. Select options for how your users can contact you:

  FreePrivacyPolicy: Privacy Policy Generator - How your users can contact - Step 5

  7. Select whether or not you wish to create a Professional Privacy Policy that would include wording for GDPR and CalOPPA:

  FreePrivacyPolicy: Privacy Policy Generator - Select what Privacy Policy you want to create - Step 6

  8. Enter your email address where you'd like your new Privacy Policy sent:

  FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 7

  9. Click Create Privacy Policy and you're done. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

  FreePrivacyPolicy: Privacy Policy Generator - Copy or link to your hosted Privacy Policy - Step 8